Buffer overflow Detailed

Source: Internet
Author: User
Buffer overflow Detailed
1 Buffer Overflow principle

A buffer is a contiguous area of computer memory that can hold multiple instances of the same data type. Buffers can be stacks (automatic variables), heaps (dynamic memory), and static data areas (global or static). In C + + languages, buffers are typically implemented using memory allocation functions such as character arrays and malloc/new. The overflow index is added outside the memory block that is allocated to the buffer. Buffer overflow is the most common program flaw.

The introduction of stack frame structure provides direct hardware support for implementing functions or procedure calls in high-level languages, but it also poses a hidden danger to system security because important data such as function return address is stored in the programmer's visible stack. If the function return address is modified to point to a carefully arranged malicious code, the purpose of endangering the system security can be achieved. In addition, the correct recovery of the stack depends on the correctness of the EBP value of the pressure stack, but ebp domain adjacent to local variables, if the programming intentionally or unintentionally through the local variable address offset to tamper with the EBP value, then the behavior of the program will become very dangerous.

Because of the absence of array-crossing checking mechanisms in the C + + language, a buffer overflow occurs when the data written to the local array buffer exceeds the size allocated for it. An attacker can use a buffer overflow to tamper with the process runtime stack, thereby altering the normal flow of the program, which causes the program to crash, and the heavy system privilege to be stolen.

For example, for the stack structure of the following illustration:

If you assign a 16-byte string to a ACARRBUF array, the system starts to populate the stack space from acarrbuf[0 to the high address, resulting in overwriting the EBP value and function return address. If an attacker overwrites the contents of the return address with a meaningful address (or a segment error), the function returns to execute the attack code that was arranged in advance at that address. The most common means of making a program run a user shell by making a buffer overflow, and then executing other commands through the shell. If the program has root or suid Execute permissions, the attacker will get a shell with root privileges, which can be used to do any operation on the system.

In addition to changing the return address by making a stack buffer overflow, you can also overwrite local variables (especially function pointers) to exploit buffer overflow defects.

Note that the stack buffer overflow described in this article differs from the generalized "stack Overflow (stack OverFlow)", which, in addition to the bounds of the local array and memory overlay, may also be caused by too many call hierarchies (in particular, recursive functions) or too large local variables. 2 buffer Overflow instance

This section provides an example of a number of buffer overflow related procedures. The first three examples are manual modifications to return addresses or arguments, and the latter two examples are local array access and buffer overflow. More in-depth buffer overflow attacks see the relevant information.

The example function must contain the STDIO.H header file and include the string.h header file (such as the strcpy function) on demand.

"Example 1" Changes the return address of a function so that it returns to a specified instruction position instead of the position immediately following the function call. The implementation principle is to modify the return address in the function body to find the location of the return address and modify it. The code is as follows:

1//foo.c
 2 void foo (void) {
 3     int A, *p;
 4     p = (int*) ((char *) &a +);  Let P point to the return address of the stack when the main function calls Foo, equivalent to P = (int*) (&a + 3);
 5     *p + +;    Modify the value of the address so that it points to the starting address of a directive
 6}
 7 int main (void) {
 8     foo ();
 9     printf ("The call\n");     printf ("Second printf call\n");
return     0;
12}
View Code

Compile run, result output second printf call, no output of the A-i-printf call.

The following is a detailed description of the origins of the two 12 in the code.

After compiling (gcc main.c–g) and disassembly (Objdump a.out–d), the assembly code fragment is as follows:

From the above assembly code, it is known that the instruction address behind Foo (that is, the return address pressed in when Foo is invoked) is 0X80483B8, and the address of the instruction to invoke printf ("Second printf call") is 0X80483C4. The difference is 12, so the value of the return address plus 12 can be (*p + + 12).

Directive <804838a> assigns the address of -8 (%EBP) to the%eax Register (p = &a). The variable A in the Foo () function is stored on the -8 (%EBP) address, and the address is 8+4=12 up to the return address ((char *) &a + 12). Modifying this address content (*p + + 12) enables you to jump to the second printf function call when the function call ends.

Use GDB to view the value (%ESP) of the top of the stack when the assembly instruction just entered Foo, as follows:

The visible%esp value is indeed the address of the next order to be executed in main after Foo is invoked, and the code modifies that value. %eip points to the directive address of the current program (foo).

"Sample 2" temporarily runaway the return address of the function to modify its value so that the function returns to the address of the Detour function, and the Detour function attempts to return to the main function by returning the previously saved address. The code is as follows:

1//runaway.c
 2 int gprevret = 0;//Save function return address
 3 void detour (void) {
 4     int *p = (int*) &p + 2;  P points to the return address of the function
 5     *p = Gprevret;
 6     printf ("Run away!\n");//require a carriage return, or fflush (stdout) after printing; refresh the buffer, or you may not be able to output
 7}
 8 int runaway (void) {
 9 on a segment error     int *p = (int*) &p + 2;
Ten     Gprevret = *p;
One     *p = (int) detour;
return     0;
'
int main (void) {     runaway ();     printf ("Come home!\n");
return     0;
18}
View Code

Compile run after output:

Run away!

Come home!

Run away!

Come home!

Segmentation fault

A segment error occurred after running. There must be something wrong. The reason for the error is left to the reader to think about, and here's another version of the code that gets the return address (instead of estimating the stack frame structure) with the assembly.

1 register void *gebp __asm__ ("%ebp");
 2 void Detour (void) {
 3     * ((int *) GEBP + 1) = Gprevret;
 4     printf ("Run away!\n");
 5}
 6 int runaway (void) {
 7     gprevret = * (int *) GEBP + 1);
 8     * (int *) GEBP + 1) = detour;
 9 return     0;
10}
View Code

"Example 3" modifies the melody function pointer variable within the called function, causing the program to crash when the pointer is subsequently accessed. The code is as follows:

 1//crasher.c 2 typedef struct{3 int member1;
 4 int member2;
 5}t_strt;
 6 T_strt gtteststrt = {0};
 7 register void *gebp __asm__ ("%EBP");     8 9 void Crasher (T_strt *ptstrt) {f ("[%s]: EBP =%p (0x%08x) \ n", __function__, GEBP, * ((int*) gebp)); 11
printf ("[%s]: PTSTRT =%p (%p) \ n", __function__, &PTSTRT, PTSTRT);
printf ("[%s]: (1) =%p (0x%08x) \ n", __function__, ((int*) &ptstrt-2), * ((int*) &ptstrt-2)); 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.